Modernize Your PKI → Optimize Productivity → Reduce Risks    |Here’s how to replace Microsoft PKI with EJBCA

  • Home
  • Blog
  • File Server Resource Manager and AD RMS

File Server Resource Manager and AD RMS

You may have heard of the ability back in Windows Server 2008 R2 to use the File Classification Infrastructure (FCI) feature (part of the File Services role) together with the AD RMS Bulk Protection Tool (a command-line tool) to automatically apply rights protections to documents stored on a file server based on things such as key words in the files. That was a nice feature, but a little clunky to use with the command-line AD RMS Bulk Protection Tool. The good news is that the AD RMS integration has now been incorporated into the File Server Resource Manager on Windows Server 2012, eliminating the need for the AD RMS Bulk Protection Tool in this context. The AD RMS Bulk Protection Tool can also be used outside of FCI whenever you need to bulk encrypt or decrypt a batch of files.

In my first experience with the AD RMS features in the File Server Resource Manager, I can report that it has many nice features and a few flaws.

It’s certainly nice that you can apply the AD RMS protections right in the File Server Resource Manager interface. You can set up a File Management Task that either applies a rights policy template to content that matches the rule or you can select permissions manually through the File Management Task interface. The below shows a rights policy template selected:

RMS_FSRM_RMSAction

It’s nice that you can set up File Management Tasks to apply AD RMS protections to documents that match classification rules you’ve set up (such as all documents in a certain directory file system that contain something that looks like a social security number) or just to apply AD RMS protections to documents in a certain directory system based on simple things such as file type (all .docx file) or the numbers of days since creation without having to mess around with creating classification rules (which can get complicated).

It’s convenient that although you need the files to be stored on the Windows Server 2012 server where File Server Resource Manager is installed, you don’t need your entire environment to be at Windows Server 2012 to use this feature. Your Active Directory can still be on 2008 R2 (or older), though you will lose the ability to create classification rules using the resource properties functionality in Windows Server 2012 if your Active Directory environment is not at Windows Server 2012 level.

Something that I missed in setting up rules and couldn’t find (maybe it would be an option if you used PowerShell instead of the GUI to create rules) was the ability to set up File Management Task rules to apply AD RMS protections to documents based on multiple conditions where you get to define whether the conditions use AND or OR logic. For example, “apply AD RMS protections to documents if they match classification rule A OR classification rule B” is very different from “apply AD RMS protections to documents if they match classification rule A AND classification rule B.”

I found the tool skipped some files that should have matched the rules configured and then would find those files on the next run through of the task. In my testing I was running the tasks manually, but when used as intended to run the tasks automatically every X days, files missed on the first automatic run would be picked up on the next automatic run.

I found one big flaw that confounded me for a number of days before I finally sorted it out. If you create a File Management Task to apply AD RMS protections to documents and you choose to add a notification option, which notifies the selected users or administrators before the action occurs, the task to apply AD RMS protections to the documents that match the rule will appear to complete successfully, but AD RMS protections won’t actually be applied to the documents in question.

RMS_FSRM_Notification

The File Management Task will read through the specified directory or directories and identify files to which this rule should be applied, but then not actually “process” the files using the rule. Notice that the below event log message shows three total files found but zero files processed:

RMS_FSRM_EventLog

At this point in order to apply AD RMS protections with the File Server Resource Manager it appears that you must forgo using the notification feature.

All in all, the enhancements to the File Server Resource Manager are a great boon to enterprises trying to protect sensitive content with AD RMS but having trouble getting users to reliably take the action to apply AD RMS protections to sensitive files.